Brazilian users have been targeted by a new self-propagating malware called SORVEPOTEL, which spreads through WhatsApp. The campaign, dubbed Water Saci by Trend Micro, exploits users' trust in the messaging platform to expand its reach across Windows systems. Unlike traditional attacks focused on data theft or ransomware, this threat was primarily designed for speed and mass propagation.
The attack begins with phishing messages sent from already compromised WhatsApp contacts, lending credibility to the communication. The messages contain ZIP attachments disguised as receipts or files related to health applications. There is evidence that the campaign operators also use emails from seemingly legitimate addresses to distribute the malicious files. A notable characteristic is that the messages instruct users to open the file on desktop, suggesting that the attackers may be more interested in compromising businesses than end consumers.
Upon opening the attachment, the victim launches a Windows shortcut (LNK) file that silently runs a PowerShell script, which downloads the main payload from external servers. The malware establishes persistence by copying itself to the Windows startup folder and connects to command-and-control servers to retrieve additional instructions. Once installed, if it detects that WhatsApp Web is active on the infected system, it automatically sends the malicious ZIP file to all contacts and groups of the victim's compromised account, enabling rapid large-scale propagation.
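The persistence step described above (a copy of the malware placed in the Windows startup folder, launched via a shortcut that runs PowerShell) is something a defender can audit directly. The following PowerShell script is an added example written for this summary, not code from Trend Micro or The Hacker News: it inventories the per-user and all-users Startup folders, resolves any shortcut targets, and flags entries whose command line references PowerShell or common download primitives. The indicator keyword list is an assumption chosen for illustration, not an indicator set published for this campaign.

```powershell
# Added example (not from the article): audit Windows Startup folders for
# entries that launch PowerShell or contain downloader-style commands.
# The keyword list below is an assumed, illustrative set of indicators.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Tokens that suggest a PowerShell downloader launch (assumed list)
$suspiciousTokens = @(
    'powershell', 'pwsh', '-enc', 'EncodedCommand',
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'iwr', 'http'
)

# WScript.Shell is used to resolve .lnk targets and arguments
$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }

    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $item = $_
        $commandLine = ''

        if ($item.Extension -ieq '.lnk') {
            # Shortcut: the interesting part is what it points to and its arguments
            $lnk = $shell.CreateShortcut($item.FullName)
            $commandLine = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        elseif ($item.Extension -in '.ps1', '.bat', '.cmd', '.vbs', '.js') {
            # Script file: inspect its content for download/launch primitives
            $commandLine = Get-Content -Path $item.FullName -Raw -ErrorAction SilentlyContinue
        }
        else {
            # Any other file type: record the name so it shows up in the inventory
            $commandLine = $item.Name
        }

        # Collapse whitespace so long scripts render on one line in the report
        $flat = ($commandLine -replace '\s+', ' ').Trim()
        $hits = $suspiciousTokens | Where-Object { $flat -match [regex]::Escape($_) }

        [pscustomobject]@{
            Path       = $item.FullName
            Created    = $item.CreationTime
            Suspicious = [bool]$hits
            Indicators = ($hits -join ', ')
            Command    = $flat.Substring(0, [Math]::Min(200, $flat.Length))
        }
    } | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
}
```

Run it in a normal user session to see the per-user folder and in an elevated session to cover the all-users folder as well. A legitimate Startup entry that launches PowerShell does exist in some environments, so treat a flagged row as a lead to investigate (who created it, when, and what the download target is) rather than as a verdict.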
Of the 477 infections identified, 457 are concentrated in Brazil, primarily affecting entities in the government, public services, manufacturing, technology, education, and construction sectors. The automated propagation results in a high volume of spam messages, frequently leading to account suspension or banning for violating WhatsApp's terms of service. Subsequent updates from Trend Micro revealed that the payload downloaded from the server includes a shellcode component capable of monitoring banking activities, checking browser URLs against a list of 65 Latin American financial institutions, particularly Brazilian ones. Among the notable targets are Banco do Brasil, Bradesco, Binance, Caixa Econômica Federal, Itaú Unibanco, Mercado Pago, Banco do Nordeste, Santander, and Sicredi. The malware can capture screens, log keystrokes, create fake banking security alert overlays, and serve phishing pages to steal credentials and authentication tokens.
This post was translated and summarized from its original version using AI, with human review.
Source: The Hacker News